DMCA hash-matching: Dropbox checks your files against a banned list
March 2014
A viral 2014 incident revealed that Dropbox compares the cryptographic hashes of files users try to share against a blacklist of DMCA-flagged content and blocks matches — surprising users who assumed their files were entirely private.
What happened
In March 2014 a designer, Darrell Whitelaw, tweeted a screenshot showing that Dropbox had blocked him from sharing a file, citing a DMCA takedown notice. The image spread quickly and was widely read as proof that Dropbox was rummaging through users' private folders looking for pirated content.
The reality, which Dropbox and reporters clarified, was more specific but still unsettling to many users. When a file is shared via a public link, Dropbox computes the file's cryptographic hash — a fixed-length fingerprint — and checks it against a blacklist of hashes for files that have previously received DMCA takedown notices. If the hashes match, Dropbox blocks the share. Dropbox stressed that the check applies only to files being shared, not to private folders, that it does not look at the contents of users' files, and that hash comparison does not require a human to view anything.
Even granting that distinction, the episode revealed that Dropbox runs automated content-matching against users' files at the moment of sharing, a capability that depends on Dropbox being able to fingerprint stored files, and one that many users had not realized existed. It reinforced, in concrete terms, that 'private' on Dropbox meant the company chose not to look, not that it could not.
Impact
The DMCA hash-matching revelation educated a large audience about how cloud providers can fingerprint and act on user files without 'reading' them, and it fed directly into the broader privacy critique of Dropbox's keys-held architecture. It heightened user awareness that automated systems mediate sharing, raised questions about false positives and over-blocking, and pushed privacy-focused users further toward client-side encryption, where such hash-matching is impossible.
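The share-time check described under "What happened", and the reason client-side encryption leaves it nothing to match, sketched as an added example (not Dropbox's code). SHA-256, the `Provider` class, the file names and the sample bytes are assumptions, and the XOR keystream is only a stand-in for a real client-side cipher.

```python
import hashlib
import io
import os

# Constructed sample bytes standing in for a file named in a takedown notice.
FLAGGED_FILE = b"constructed sample bytes standing in for a DMCA-flagged file" * 1000

def fingerprint(stream, chunk_size=64 * 1024):
    """Hash a file-like object in chunks (SHA-256 is an assumption)."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

# The blacklist holds only digests of previously flagged files, not the files.
BLACKLIST = {fingerprint(io.BytesIO(FLAGGED_FILE))}

class Provider:
    """Hypothetical storage service that gates public links on the blacklist."""
    def __init__(self):
        self.files = {}

    def upload(self, name, data):
        self.files[name] = data  # private storage: no blacklist check here

    def create_public_link(self, name):
        # The provider can fingerprint the file because it can read the bytes.
        digest = fingerprint(io.BytesIO(self.files[name]))
        if digest in BLACKLIST:  # exact match; no human views the content
            return {"shared": False, "reason": "DMCA hash match", "sha256": digest}
        return {"shared": True, "sha256": digest}

def client_side_encrypt(data, key):
    """Demo stand-in for a client-side cipher: XOR with a SHAKE-256 keystream."""
    nonce = os.urandom(16)
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, keystream))

def demo():
    p = Provider()
    p.upload("plain.bin", FLAGGED_FILE)
    p.upload("other.bin", b"constructed unrelated document")
    # Encrypted before upload: the provider only ever sees ciphertext.
    p.upload("sealed.bin", client_side_encrypt(FLAGGED_FILE, os.urandom(32)))
    return {name: p.create_public_link(name)["shared"] for name in p.files}

if __name__ == "__main__":
    print(demo())
```

The upload path never consults the blacklist; only `create_public_link` does, which mirrors the distinction Dropbox drew between private folders and shared files.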